Security in Wireless Local Area Networks

As wireless communication reaches offices and homes, new security
issues have to be taken care of. The market for wireless LANs is
growing continuously, but there is a big black hole in the security of
this kind of network. This paper gives an overview of the security
functions specified in two wireless LAN standards, namely IEEE 802.11
and HIPERLAN. It also discusses the threats and vulnerabilities of
wireless networks compared to wired networks. Last but not least, the
protocols and mechanisms needed in a secure wireless LAN are described.

The concept of the wireless LAN was introduced around 1980, and since
1985 many companies have tried to implement a variety of wireless LAN
applications using spread spectrum, infrared and traditional wide band
radio technologies [1]. The real breakthrough of wideband wireless
applications is happening now: the IEEE 802.11 standard, approved in
June 1997, gives a solid platform for new applications, and chips
supporting IEEE 802.11 are already on the market. Wireless office
market revenue in 1996 was $390 million, of which $218 million belonged
to wireless LANs, and it is expected to break a billion dollars early
in the next millennium [1].

The commercial wireless LAN applications can be divided into five
categories [2]:

LAN extension - indoor wire replacement

Inter-LAN bridges - outdoor wire replacement

Campus Area Networks (CAN) - wireless LANs with infrastructure

Ad-hoc networking - wireless LANs without infrastructure

Nomadic access - a wireless LAN service

Today's existing applications aim at four categories of applications
[2]:

Healthcare industry

Factory floors

Banking industry

Educational institutions

Security issues are much more stressed in the wireless environment
than in wired networks, yet there are still products without any
security functions, and even IEEE 802.11 specifies its security
functions as an optional feature. At the same time security on the
Internet is becoming more and more vital, and the IPSEC concept and
IPv6 are going to demand ciphering and authentication as mandatory
functions in network equipment. So there is a real need to develop
security in wireless networks.

In this paper, the term "HIPERLAN" is used to refer to HIPERLAN,
Type 1 [3].

HIPERLAN is ETSI's wireless broadband access standard, which defines
the MAC sublayer, the Channel Access Control (CAC) sublayer and
the physical layer. The MAC accesses the physical layer through the CAC,
which allows easy adaptation for different physical layers. The
currently defined physical layers use the 5.15 - 5.30 GHz frequency
band and support 2 048 Kbps synchronous traffic and up to 25 Mbps
asynchronous traffic. HIPERLAN has the following properties [3]:

it provides a service that is compatible with the ISO MAC service
definition in ISO/IEC 15 802-1 [4]

its operations are compatible with the ISO MAC bridges
specification ISO/IEC 10 038 for interconnection with other LANs [4]

it may be deployed in a pre-arranged or an ad-hoc fashion

it supports node mobility

it may have a coverage beyond the radio range limitation of
a single node

it supports both asynchronous and time-bounded communication by
means of a Channel Access Mechanism (CAM) with priorities providing
hierarchical independence of performance

its nodes may attempt to conserve power in communication by
arranging when they need to be active for reception

The HIPERLAN specification [3] defines an encryption-decryption scheme
for optional use in the HIPERLAN. In this scheme, all HM-entities of a
HIPERLAN shall use a common set of shared keys, referred to as the
HIPERLAN key-set. Each of these keys has a unique key identifier. Plain
text is ciphered by an XOR operation with a random sequence generated
by a confidential algorithm [5], which takes as input the secret key
and an initialization vector sent in every MPDU (see figure 1). ETSI
claims that the defined scheme provides the level of protection of a
wired LAN [3].

Figure 1: HIPERLAN encryption-decryption scheme [3]

It is impossible to say anything for sure about the protection level
that the WEP offers, because the algorithms are not available. But the
lack of independent and public analysis arouses some suspicions about
the strength of the algorithms. The HIPERLAN standard does not define
any kind of authentication, which sounds very strange for this kind of
system. In my humble opinion one should not trust the security level
offered by the HIPERLAN specification in any sensitive application, but
use some additional mechanism to meet the security requirements set for
the wireless LAN.

The IEEE 802.11 standard defines the physical layers and the MAC
sublayers for wireless LANs. There are three different physical layers:
Frequency Hopping Spread Spectrum Radio, Direct Sequence Spread
Spectrum Radio and Baseband Infrared. All physical layers can offer a
2 Mbps data rate; the radio PHYs use the 2 400 - 2 483.5 MHz frequency
band. The MAC layer is common to all three PHYs and has the following
features [2]:

Support of isochronous as well as asynchronous data

Support of priority

Association/Disassociation to an AP in a BSS or ESS

Re-association or Mobility Management to transfer an association
from one AP to another

Power Management to save battery time

Authentication to establish identity of the terminals

Acknowledgment to ensure reliable wireless transmission

Timing Synchronization to coordinate the terminals

Sequencing with duplication detection and recovery

Fragmentation / Re-assembly

IEEE 802.11 defines two authentication schemes: Open System
Authentication and Shared Key Authentication. The former is actually a
null authentication: all mobiles requesting access are accepted to the
network. The latter uses shared key cryptography to authenticate the
mobile. When a mobile requests authentication, the base sends a 128
octet (1024 bit) random number to the mobile, encrypted using the
shared key. The mobile decrypts the random number using the same shared
key as the base and sends it back to the base. If the number that the
base receives is correct, the mobile is accepted to the network. All
mobiles allowed to connect to the network use the same shared key, so
this authentication method can only verify that a particular mobile
belongs to the group of mobiles allowed to connect to the network;
there is no way to distinguish the mobiles from each other. There is
also no means for the mobile to authenticate the network. IEEE 802.11
does not define any key management functions.

IEEE 802.11 defines an optional Wired Equivalent Privacy (WEP)
mechanism to implement the confidentiality and integrity of the traffic
in the network. WEP is used at the station-to-station level and does
not offer any end-to-end security. WEP uses the RC4 PRNG algorithm [8]
based on a 40 bit secret key and a 24 bit initialization vector (IV)
sent with the data. WEP includes an integrity check vector (ICV) to
allow an integrity check. One MPDU frame contains the clear text IV and
ICV and the cipher text data block, so the receiver is always able to
decrypt the cipher text block and to check the integrity. The IV can be
new every time or reused for a limited time. The scheme is illustrated
in figure 2.
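
The WEP encapsulation described above, as an added example that is not part of the original paper or of the IEEE 802.11 text. It follows the 802.11 WEP layout, in which the RC4 seed is the IV followed by the secret key and the ICV is a CRC-32 of the plaintext carried encrypted behind the data; the key ID octet is left out, and the key, IV and payload are constructed sample values.

```python
import struct
import zlib

def rc4(seed, data):
    """RC4: key schedule from `seed`, then XOR the keystream over `data`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encapsulate(key, iv, plaintext):
    """Return clear-text IV followed by RC4(IV || key) over data || ICV."""
    if len(key) != 5 or len(iv) != 3:
        raise ValueError("WEP uses a 40 bit key and a 24 bit IV")
    icv = struct.pack("<I", zlib.crc32(plaintext))
    return iv + rc4(iv + key, plaintext + icv)

def wep_decapsulate(key, frame):
    """Decrypt with the IV read from the frame; None if the ICV check fails."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    data, icv = clear[:-4], clear[-4:]
    if struct.pack("<I", zlib.crc32(data)) != icv:
        return None
    return data

# Constructed sample values, not taken from any real network.
KEY = bytes.fromhex("a1b2c3d4e5")            # 40 bit shared secret
PAYLOAD = b"hello over the air"
FRAME = wep_encapsulate(KEY, b"\x00\x00\x01", PAYLOAD)
```

Because the IV travels in clear text, the shared 40 bit key is the only secret protecting a frame.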

The PRNG algorithm used in IEEE 802.11 is RC4 [8] from RSA inc. The
actual algorithm is not public, but it has been studied in independent
research laboratories under nondisclosure agreements and no weaknesses
have yet been reported, which does not guarantee that none exist.
In any case the secret key used is only 40 bits long, which can be
solved by a brute-force attack in 2 seconds with $100 000 hardware and
0.2 seconds with $1 000 000 hardware according to the 1995 figures
[13]; today the hardware prices are significantly lower. Even with
some additional strength gained from the variable IV, the protection
level of WEP may not be considered strong enough for the most sensitive
applications. The Shared Key Authentication scheme could be easily
fooled using, for example, the play-back attack. So an additional
authentication mechanism is needed in any case.

In this section we will concentrate on the wireless LANs using the
radio path as a transmission medium.

In the wireless LAN environment we have to deal with all the same
security problems that we have in the conventional wired LAN
environment. In addition, some security issues are stressed when we are
using the radio path. The currently known active attacks can be divided
into the following categories [9]:

Social engineering

Impersonation

Exploits

Data driven

Transitive trust

Infrastructure

Denial of Service

The first four of these are similar in wired and wireless
environments, so they are not discussed in this paper. Besides the
active attacks there is passive eavesdropping, which is discussed
first.

Eavesdropping is very easy in the radio environment: when one sends a
message over the radio path, everyone equipped with a suitable
transceiver within range of the transmission can eavesdrop on the
message. This kind of transceiver equipment, for example a standard
wireless LAN mobile, maybe with a special antenna, is very reasonably
priced. The sender or intended receiver has no means of knowing whether
the transmission has been eavesdropped or not, so this kind of
eavesdropping is absolutely undetectable.

The frequency band and transceiver power used have a great effect on
the range where the transmission can be heard. When we are using a 2 or
5 MHz radio band and transceiver power up to 1 W, as in the case of the
current wireless LAN standards, the traffic of the wireless LAN can be
eavesdropped from outside the building in which the network is
operating if there is no special electromagnetic shielding. So we
cannot truly trust that our network stays inside our office building.

In the wireless LAN environment the ease of eavesdropping justifies
quite costly procedures to guarantee the confidentiality of the network
traffic. In all wireless LAN standards this is taken care of by some
kind of link level ciphering done by the MAC-entities, but the safety
gained with these algorithms may not be good enough for the most
demanding applications.

When we have a wireless LAN as a part of our enterprise network, it
offers the attacker an interface, requiring no physical arrangements,
through which to intrude on our network. In wired networks we can
always track the wire from our computer to the next network node, but
when we are working in the wireless environment there is no such way to
find out whom we are talking to. That makes efficient authentication
mechanisms crucial for the security of wireless LANs. In all cases both
parties of the transmission should be able to authenticate each other.

The wireless LAN could be used as a launch pad for the transitive
trust attack. If the attacker can fool our wireless LAN into trusting
the mobile he controls, then there is one hostile network node inside
all the firewalls of our enterprise network, and it is very difficult
to prevent any hostile actions after that. This kind of attack can be
done from outside our site with standard wireless LAN hardware
compatible with our equipment. The only real protection against this
kind of attack is a strong authentication mechanism for the mobiles
accessing the wireless LAN. The discovery of unsuccessful attacks must
rely on the logging of unsuccessful logon attempts, but it might be
very hard to find out whether there has been a real attack attempt,
because in normal operation unsuccessful logon attempts also come from
the high BER on the radio path and from mobiles that belong to some
other wireless LAN.

The other kind of transitive trust attack, specific to wireless
networks, is fooling the mobile into trusting a base controlled by the
attacker as our base. When a mobile is switched on, it usually tries
first to log on to the network with the strongest signal and, if that
fails, to the remaining ones in order of signal power. Now, if the
attacker has a base with high transmission power, he may be able to
fool our mobiles into trying first to log on to the attacker's network.
There are basically two possibilities: the attacker may let us log on
to his network, make it pretend to be our network and find out the
passwords, secret keys, etc., or the attacker may just reject our logon
attempts but record all the messages during the logon process and find
out the secret keys or passwords used in authentication in our network
by analyzing these messages. The former case is very difficult to
implement without very detailed information about our network services
and is probably detected very soon, but the latter requires just
standard base hardware, maybe with a special antenna, compatible with
our equipment, and is very difficult to detect, because the mobiles do
not usually report unsuccessful logon attempts to the upper layers and
there are a lot of unsuccessful logon attempts even in normal
circumstances. The only protection against these attacks is an
efficient authentication mechanism which allows the mobile to
authenticate the base without any disclosure of the secret keys or
passwords it uses to log on to our network.

The infrastructure attacks are based on some weakness in the system: a
software bug, configuration mistake, hardware failure, etc. This kind
of situation will certainly occur in wireless LANs, too. But protection
against this kind of attack is almost impossible: you do not know about
the bug until something happens. So the only thing to do is to keep the
possible damage as small as possible.

Due to the nature of radio transmission, wireless LANs are very
vulnerable to denial of service attacks. If the attacker has a powerful
enough transceiver, he can easily generate such radio interference that
our wireless LAN is unable to communicate using the radio path. This
kind of attack can be done from outside our site, for example from a
van parked on the street or from an apartment in the next block. The
equipment needed to commit this kind of attack can be bought from any
electronics store at a reasonable price, and any short-wave radio
enthusiast has the knowledge needed to construct the equipment.

Protection against this kind of attack is very difficult and
expensive. The only total solution is to have our wireless network
inside a Faraday cage, but this is applicable only in very rare cases.
However, it is easy for the authorities to locate the transceiver used
to generate the interference, so the attacker has limited time before
the transceiver is found.

On the other hand, wireless LANs are not as vulnerable as wired LANs
to the other kinds of denial of service attacks. For example, a fixed
LAN node can be isolated from the network by simply cutting the wire,
which is not possible in the wireless environment. If the attacker cuts
the power of the whole site, then all wired networks are usually
useless, but the wireless LANs can be used in the ad-hoc configuration
with laptops or other battery powered computers.

One can easily see that the standards described in chapter 3 do not
fulfill the security requirements against the attacks described in
chapter 4. This section presents some mechanisms and protocols that
make wireless LANs safer.

The major requirement for this kind of solution is seamless
integration into existing wired networks. It is very probable that we
have plenty of fixed network nodes already installed in our enterprise
network, so we should avoid any need to modify the existing nodes.

There are different alternatives for securing a connection: end-to-end
security at the application level, end-to-end security at the
transport layer and link security at the link layer. In current data
networks there are only a few commonly used end-to-end security schemes
(like SSL and SSH), so link security is the only applicable approach if
we want to leave our existing network alone.

Dropping end-to-end mechanisms rules out user authentication. We have
only station-to-station (or machine-to-machine) authentication left,
since those are the entities primarily communicating over the wireless
link. Machine-to-machine authentication is in fact conceptually correct
for a security protocol at the link layer [10].

Another design goal is two-way authentication: for the reasons
discussed in 4.2 it is vital that both the base and the mobile are able
to authenticate each other. The authentication mechanism should enable
the identification of the mobiles and allow distinct keys to be used in
different bases and mobiles.

The final goal is to have some flexibility to utilize future advances
in cryptography. There should also be some interoperability between all
versions of the wireless products, even if there exist different
regulatory limitations on the use of cryptography.

The solution discussed here needs several modifications to current
wireless LAN products and standards, so the implementation of this
solution is not currently feasible. The aim is rather to show the
direction in which the evolution should go.

This is a hybrid solution: the authentication is done using public
key cryptography and the ciphering of the transmission uses shared
key cryptography. Shared keys are created during the authentication
and may be changed during the transmission. The actual cryptography
algorithms are not defined, because of the rapid development in this
area.

The authorization mechanism uses certificates formatted according to
CCITT X.509 [11] used in X.500 and PEM. A
certificate contains the following information: {Serial Number,
Validity Period, Machine Name, Machine Public Key, CA name}. Each
certificate is signed by a CA, which might in our case be the
enterprise's own CA.

The first message sent from the mobile to the base contains the
following information: {Cert_Mobile, CH1, List of SKCSs}. CH1 is a
randomly generated number. The List of SKCSs is transmitted to allow
negotiation of the algorithm to be used; the algorithm identifier and
the key size are sent in the list.

When the base has received the first message, it will attempt to verify
the signature on Cert_Mobile. A valid signature proves that the public
key in the certificate belongs to a certified mobile host, but it is
not certain that the certificate actually belongs to the mobile that
submitted it. If the certificate is invalid, the base rejects the
connection attempt.

Now the base will reply to the mobile by sending the message
containing {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS,
Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, CH1, List of
SKCSs})}. The random number RN1 is saved internally for later use. The
Chosen SKCS is one from the list sent by the mobile and includes the
algorithm identifier and the key size; the Chosen SKCS is the most
secure of those supported by both the base and the mobile.

The mobile validates Cert_Base; if the certificate is valid, the
mobile will verify the signature of the message using the public key of
the base. The signature is valid and the base authenticated if the CH1
and the List of SKCSs match those sent by the mobile to the base. Since
the list of SKCSs is included in the signature, the attacker cannot
send a weakened list of SKCSs by jamming the original message and
sending his own, and we need not sign the first message.

Now the mobile sends the base a message containing: {E(Pub_Base, RN2),
Sig(Priv_Mobile, {E(Pub_Base, RN2), E(Pub_Mobile, RN1)})}. RN2 is a
random number generated by the mobile. The mobile will use RN1 XOR RN2
as the session key from now on.

The base verifies the signature of the message using Pub_Mobile
obtained from Cert_Mobile in the first message. If the signature is
valid, the mobile is authenticated. Next the base will decrypt
E(Pub_Base, RN2) with its own private key. Now the base can form the
session key RN1 XOR RN2.

The session key is formed from two parts sent in different messages
to gain better protection. Compromise of the mobile's private key then
does not compromise the whole traffic between the base and the mobile.
Since both halves of the session key are random and of equal length,
knowing either RN1 or RN2 tells nothing about the session key.

If all these steps have succeeded, the mutual authentication has been
done and the session is established. Figure 3 summarizes the
authentication protocol. The correctness of this protocol is proved
in [10].
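
The three-message exchange described above, as an added example that is not code from the paper or from [10]. It shows both sides deriving RN1 XOR RN2 and the mobile rejecting the base's reply when the unsigned first message was altered in transit. Assumptions: textbook RSA on fixed Mersenne primes stands in for the public key algorithm the paper leaves open (a toy, not secure), certificates are reduced to (name, key, signature), SKCSs are ranked by key size, and the `tamper` hook and all names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys

def keypair(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1. NOT secure."""
    p, q = 2**a - 1, 2**b - 1
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(obj, n):
    return int.from_bytes(hashlib.sha256(repr(obj).encode()).digest(), "big") % n

def sign(priv, obj):                      # Sig(Priv, obj)
    return pow(digest(obj, priv[0]), priv[1], priv[0])

def verify(pub, obj, sig):
    return pow(sig, pub[1], pub[0]) == digest(obj, pub[0])

def rsa(key, value):                      # E(Pub, m), or its inverse with Priv
    return pow(value, key[1], key[0])

CA_PUB, CA_PRIV = keypair(521, 607)
BASE_PUB, BASE_PRIV = keypair(127, 107)
MOB_PUB, MOB_PRIV = keypair(89, 61)

def make_cert(name, pub):
    # Serial number, validity period and CA name are omitted in this sketch.
    return (name, pub, sign(CA_PRIV, (name, pub)))

def cert_ok(cert):
    name, pub, sig = cert
    return verify(CA_PUB, (name, pub), sig)

def fail(why):
    return {"ok": False, "why": why}

def handshake(mobile_skcs, base_skcs, tamper=None):
    """Run the three messages; `tamper` rewrites message 1 in transit."""
    # Message 1, mobile -> base: {Cert_Mobile, CH1, List of SKCSs}, unsigned.
    ch1 = secrets.randbits(128)
    msg1 = (make_cert("mobile", MOB_PUB), ch1, list(mobile_skcs))
    cert_m, ch1_rx, skcs_rx = tamper(msg1) if tamper else msg1

    # Base: check Cert_Mobile, choose the strongest common SKCS.
    if not cert_ok(cert_m):
        return fail("base: Cert_Mobile not signed by the CA")
    common = [s for s in skcs_rx if s in base_skcs]
    if not common:
        return fail("base: no common SKCS")
    chosen = max(common, key=lambda s: s[1])
    rn1 = secrets.randbits(128)
    e_rn1 = rsa(cert_m[1], rn1)
    # Message 2, base -> mobile: signature covers CH1 and the list as received.
    sig_b = sign(BASE_PRIV, (e_rn1, chosen, ch1_rx, skcs_rx))
    cert_b = make_cert("base", BASE_PUB)

    # Mobile: check Cert_Base, then the signature against what it really sent.
    if not cert_ok(cert_b):
        return fail("mobile: Cert_Base not signed by the CA")
    if not verify(cert_b[1], (e_rn1, chosen, ch1, list(mobile_skcs)), sig_b):
        return fail("mobile: signature does not match my CH1 and SKCS list")
    # Message 3, mobile -> base: {E(Pub_Base, RN2), Sig(Priv_Mobile, ...)}.
    rn2 = secrets.randbits(128)
    e_rn2 = rsa(cert_b[1], rn2)
    sig_m = sign(MOB_PRIV, (e_rn2, e_rn1))
    key_mobile = rsa(MOB_PRIV, e_rn1) ^ rn2

    # Base: verify the mobile's signature, recover RN2, form RN1 XOR RN2.
    if not verify(cert_m[1], (e_rn2, e_rn1), sig_m):
        return fail("base: mobile signature invalid")
    key_base = rn1 ^ rsa(BASE_PRIV, e_rn2)
    return {"ok": True, "skcs": chosen, "key_mobile": key_mobile, "key_base": key_base}
```

Calling `handshake` with a `tamper` function that shortens the SKCS list makes the base sign the shortened list, so the mobile's check against its own list fails and no session key is accepted.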

This authentication should be done in the MAC layer, before any
network access is granted to the mobile. If we give the mobile an IP
address before the authentication, it may be used as a launch pad even
if its authentication request is rejected.

Figure 3: Authentication Protocol [10]

Confidentiality can be achieved by using some existing symmetric
cryptography algorithm, like IDEA or DES. Once the session key is
agreed using the mechanism described in 5.3, the available algorithms
are strong enough for our purposes. However, the high BER on the radio
link may set some limitations on the selected algorithm.

Integrity is achieved by a fingerprint generated by some one-way hash
function, like MD5 or SHA. There should be a fingerprint in each MPDU
message, because of the high packet loss rate in the wireless
environment.

There should be some link level ciphering in any case. If we are
using some ciphering in our fixed network (e.g. IPSEC), then we can
select weaker ciphering for the wireless LANs at the link level. But
there should in any case be some ciphering: to defend against traffic
analysis we also have to cipher the network layer headers.

Again the value new_RN1 XOR new_RN2 is used as the new session key. The
values RN1 and RN2 are always the last ones used. In both cases RN1
always refers to the random number generated by the base and RN2 to the
random number generated by the mobile. The values of RN1 and RN2 are
verified against the internally saved values and, if they do not match,
the key exchange is ignored. Now the key exchanges cannot be played
back and we do not need to save any sequence numbers.

Key management is one of the toughest parts to implement in a
convenient way. One possible procedure using smart card technology is
described below:

The CA creates the private and public keys inside the smart card in
such a way that the private key is never readable from the smart card.

The CA signs the public key with its private key and stores the signed
public key on the smart card.

The smart card is given to the end user, who may now use the
smart card in any wireless LAN mobile.

In order to prevent the private key from being read from the smart
card, the public key cryptography system must be run inside the smart
card, and the calculation power of smart cards sets some limitations on
the efficiency of this approach. Of course a smart card reader is
needed for each mobile used in the wireless LAN. But it is not a very
wild guess that smart card technology will become more efficient and
cheaper in the near future.

The concept described here is not the only one: it is also possible to
use the Web of Trust scheme for the key management (like in PGP), or
the user may generate the key pair by himself and then give the public
key to the CA for certificate signing, but the user identification must
somehow be done in this case too.

The solution described above fulfills the goals stated in 5.1: The
authentication mechanism implements mutual authentication. The
negotiation of the symmetric cryptography algorithm gives some
flexibility between different versions and allows future
enhancements. The concept does not need any modifications to the
existing networks.

This solution is designed for maximum security, which may limit the
performance of the network. One may consider using faster ciphering
for, for example, insensitive video clips, but a much better (and
therefore slower) ciphering for sensitive traffic. No end-to-end
security is offered; that must be taken care of in the upper layers.

Key management using smart cards has been found quite functional even
in mass products, like GSM. The major challenge is the limited
computing power of the smart card, which leads to a longer
authentication time. The time used for authentication may become
critical if the mobile moves from one base station to another and the
hand over procedure must be performed. The authentication procedure
during hand over could be sped up by using a different authentication
scheme described in [12], but this kind of optimization is out of the
scope of this paper. The longer computing time also leads to greater
power consumption, which is always a critical aspect in the mobile
environment.

This concept does not support multiple CAs, and in large networks that
may become a problem; however, multiple CA support could be achieved
with just the minor modifications described in [10]. Another problem
for this kind of concept is multicast support: this solution has no
support for ciphered multicast.

The current wireless LAN standards offer a very unsatisfactory level
of security and one could not truly trust them. When using products
based on these standards, the security issues must be taken care of in
the upper layers. The authentication mechanism described in 5.3 may be
used over IP to perform end-to-end authentication, as described in
[12], but this approach gives a potential launch pad for the attacker.

Some commonly used attacks are more stressed in the wireless
environment and some additional effort should be used to prevent
them. The nature of radio communication makes it practically
impossible to prevent some attacks, like denial of service using radio
interference. When wireless networks are used in strategic
applications, like manufacturing or hospitals, the possibility of this
kind of attack should be taken into account with great care.

As shown in chapter 5, a quite secure wireless LAN is possible to
implement with current technology. The current hardware could be used
with only some modifications in the MAC layer protocols, and over that
new MAC the current IP may be used without any problems. However, it is
not probable that products supporting this level of security will come
to the market soon, mostly due to the USA regulations; almost all
manufacturers are American.